Apple has worked to distance itself from Java in recent years. The company deprecated its own version of the Java virtual machine for OS X, instead deferring development to Oracle itself. The browser plugin in particular has become a common vector for malware attacks, and Apple removed the Java Web plugin from recent versions of OS X last year. Those needing the plugin must install it separately.

Apple has also added additional security controls to OS X, including a mechanism that forces its Safari browser to use a minimum specified version of various plugins, such as Flash or Java. When security vulnerabilities are discovered in various plugins, Apple can update its Xprotect list to specify which version is acceptable. Earlier versions of plugins are then blocked from running within Safari.

Apple has used the Xprotect minimum version mechanism to effectively block the Java Web plugin by specifying a future version number that hasn't been released. It used this technique earlier this month when a particularly "critical" exploit in the plugin was discovered by security researchers and was determined to be "massively exploited in the wild."

Oracle worked to quickly fix the bug, and it released a new version (JRE version 1.7.0_11-b21) of the Java plugin a few days later. Apparently the fix wasn't complete—one part of the vulnerability still existed—but Oracle also set the plugin's default security setting to "high," which required users to actively click "OK" to run any unsigned or self-signed Java applets. Java applets signed by trusted authorities would still run without user intervention.

Unfortunately, the security mechanism itself turned out to be vulnerable due to additional bugs discovered in the Java frameworks. Security researchers revealed on Sunday that the bug could allow unsigned applets to run inside a browser without prompting the user to allow their execution.

It appears that Apple has once again decided to block the Java plugin from running on OS X by requiring an as-yet unreleased version (JRE version 1.7.0_11-b22) in Xprotect, according to MacGeneration. Users who rely on Java applets for specific functions, such as banking, will have to try alternate browsers such as Chrome or Firefox.
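The minimum-version check described above is simple to model, and modelling it makes the article's point concrete: if the list demands a build that has not shipped, every build that has shipped fails the comparison. The script below is an added example and is not Apple's code; the plist fragment is constructed, with key names (PlugInBlacklist, the "10" group, MinimumPlugInBundleVersion) modelled on XProtect.meta.plist but treated here as assumptions, while the version strings are the ones the article quotes.

```python
import plistlib
import re

# Constructed plist fragment modelled on XProtect.meta.plist. The key names and
# the "10" grouping are assumptions for this example; the version string is the
# unreleased build the article says Apple required.
XPROTECT_META = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PlugInBlacklist</key>
  <dict>
    <key>10</key>
    <dict>
      <key>com.oracle.java.JavaAppletPlugin</key>
      <dict>
        <key>MinimumPlugInBundleVersion</key>
        <string>1.7.0_11-b22</string>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

META = plistlib.loads(XPROTECT_META)


def version_key(version: str) -> tuple:
    """Turn "1.7.0_11-b21" into a comparable tuple (1, 7, 0, 11, 21).

    Every run of digits becomes one component; shorter strings are padded
    with zeros so "1.7.0_11" compares as older than "1.7.0_11-b1".
    """
    parts = [int(x) for x in re.findall(r"\d+", version)]
    return tuple(parts + [0] * (5 - len(parts)))


def plugin_status(meta: dict, bundle_id: str, installed_version: str) -> str:
    """Apply the minimum-version rule: anything older than the listed
    minimum is 'blocked'; unlisted plugins and newer builds are 'allowed'."""
    entry = meta["PlugInBlacklist"]["10"].get(bundle_id)
    if entry is None:
        return "allowed"
    minimum = entry["MinimumPlugInBundleVersion"]
    if version_key(installed_version) < version_key(minimum):
        return "blocked"
    return "allowed"


def blocks_every_shipped_build(meta: dict, bundle_id: str, shipped: list) -> bool:
    """True when no build the vendor has actually released satisfies the
    minimum, which is the effect of listing a future version number."""
    return all(plugin_status(meta, bundle_id, v) == "blocked" for v in shipped)


if __name__ == "__main__":
    java = "com.oracle.java.JavaAppletPlugin"
    # Builds Oracle had shipped at the time, per the article (b21 was the
    # current release; b22 did not exist yet).
    shipped = ["1.7.0_10-b18", "1.7.0_11-b21"]
    for v in shipped:
        print(v, "->", plugin_status(META, java, v))
    print("every shipped build blocked:", blocks_every_shipped_build(META, java, shipped))
```

Running it shows both shipped builds reported as blocked, which is exactly the "please update" prompt users saw with no update available; only a 1.7.0_11-b22 or later string would pass. The same comparison explains why a vendor's next real release lifts the block automatically once its number exceeds the listed minimum.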

Xprotect's Web plugin blacklist requires a newer version of Java than the one Oracle is currently shipping.

Such alternatives might not be available for long, however. Chrome is increasingly blocking plugins with known security vulnerabilities. On Tuesday, Mozilla announced that it will soon block Java in Firefox. While Firefox already uses a mechanism similar to Xprotect, which requires minimum approved versions of plugins and uses "click to play" by default, a future version will block all content that requires Java, Adobe Reader, or Microsoft Silverlight to play. Users who want content based on those software frameworks will have to explicitly approve it by clicking on an icon.

I would hate to be on the Java team at Oracle. Most of the experienced people probably left a while ago and the people remaining are getting kicked in the jewels pretty much every day. Given how much legacy has to be supported, every time they come up with an actual effective fix it probably gets shot down because it will break some old function.

Users who rely on Java applets for specific functions, such as banking, will have to try alternate browsers such as Chrome or Firefox.

Users who rely on web-based Java applets for banking will eventually have to try alternate sources of money.

While our CU's website doesn't need Java, when their website leaps into the credit card account, they say, Java is required. I asked (and griped). For the good deals and interest rate (or lack thereof) we get with our one card we're wont to seek an alternate card. C'mon, Visa! (Dang!)

At what point is it appropriate for the online community to turn its back en masse on Java, and declare it to have outlived its usefulness? This is what, week three ongoing of it being known to be a massive security hole, and the updates that Oracle has pushed out have utterly failed to plug the holes, and in some cases have introduced new, similar vulnerabilities. We wouldn't tolerate this from a first-tier software provider, but because it's a plug-in, it's tolerable?

At what point is it appropriate for the online community to turn its back en masse on Java, and declare it to have outlived its usefulness? This is what, week three ongoing of it being known to be a massive security hole, and the updates that Oracle has pushed out have utterly failed to plug the holes, and in some cases have introduced new, similar vulnerabilities. We wouldn't tolerate this from a first-tier software provider, but because it's a plug-in, it's tolerable?

Not in a very long time.

I would have uninstalled Java a long, long time ago, but the school registration system and vpn relies on it. Both haven't been upgraded in the past 3~4 years, despite repeated requests. Obviously we just hire this solutions provider that doesn't care about customer service.

And the same system design is used by hundreds of other universities and firms, they won't be able to get out anytime soon.

Edit: it just occurred to me that the bank I use in China has yet to upgrade to an online account manager that works with anything other than IE 6.0. I dream of them actually using Java...

At what point is it appropriate for the online community to turn its back en masse on Java, and declare it to have outlived its usefulness? This is what, week three ongoing of it being known to be a massive security hole, and the updates that Oracle has pushed out have utterly failed to plug the holes, and in some cases have introduced new, similar vulnerabilities. We wouldn't tolerate this from a first-tier software provider, but because it's a plug-in, it's tolerable?

Why do we need a “one size fits all” solution?

You're now perhaps a bit smarter about pros and cons of java applets in the browser (as distinct from java apps or Android apps). When you bump into your bank or whomever using them, you can register a complaint with the author. If you're in a shop that writes them, you can talk to the project managers about your concerns that you're putting your customers at risk, which might be a risk to your firm (especially if you're trading in anything more financially susceptible than say, scientific images).

And for the other 99% of us, it's a reminder that there will ALWAYS be some new security issue pop up, and we can assess how well Apple & other platforms deal with 'em.

At what point is it appropriate for the online community to turn its back en masse on Java, and declare it to have outlived its usefulness? This is what, week three ongoing of it being known to be a massive security hole, and the updates that Oracle has pushed out have utterly failed to plug the holes, and in some cases have introduced new, similar vulnerabilities. We wouldn't tolerate this from a first-tier software provider, but because it's a plug-in, it's tolerable?

The problem is that java has always been just that, a massive security hole. The ease of cross platform development on it made it a low cost development solution and it's still seen in many enterprise markets as an effective way to develop a cross platform solution. It is being replaced by HTML5 and javascript solutions but those will be slow to come, especially to enterprise companies and schools that don't like to update their internal networks until after a major breach.

Has anyone ever noticed that if you change Java's update frequency to everyday or weekly (using its control panel icon) that it automatically changes itself back to once per month? The software refuses to check for an update more than once a month.

1) Change it to check once per day

2) Close the Java control panel.

3) Open the Java control panel and look at the schedule again, it will be back to once per month.

Yet in the update tab it says it will check once per week... So I don't know WTF is going on here.

I occasionally have to access Apple's Sales Web site (promo material for the school, demo content and such) and they use Java when you are downloading multiple files (you select it, a window pops up and will download multiple gigabyte disk images sequentially. Essentially an integrated download manager). So using Safari today on a newer demo model I got the prompt for a "missing plug-in" which prompted me to download Java from Apple.

That downloaded, installed, I quit and reloaded the site, and then got a prompt for "disabled plug-in". "You need to download the newest version from the developer". So it took me to Oracle's site for Java 7.11. Downloaded and installed that, and reloaded the page.

Then I tried again and got a "blocked plug-in", which stated the version I had was out of date and required the newest version. So it sent me back to Oracle for Java...... 7.11 again. Essentially stuck in a potentially endless loop of inefficiency.

Then I realized that instead of clicking "download", you can click the file name which will show you the individual images of the set to download manually...... So it ended up not being a problem, but just a waste of time.

This isn't the first time that Apple's own internal software/websites have had issues with their own practices. For example, their hardware testing software needed for repairs isn't Developer certified so it is blocked by Gatekeeper by default. Again, not an impenetrable issue nor something anyone who uses the software can't get by (I'd hope), but it's just stuff they do that goes against their normal security practices.

"Java isn't installed by default because it's a security risk, buuut you need it to download files efficiently from our site. Also, Gatekeeper is there for your safety, buuut you need to bypass it to download our required testing software."

This is a screenshot of terminal taken with OS X's integrated screenshot tool. Hitting Command-Shift-4 followed by spacebar allows you to shoot the window alone. It creates a PNG that includes a Quartz-rendered dropshadow.

The author probably has green on black text because it's easy to read and, let's face it, it looks a little bad-ass.

So untwist your knickers, no one spent any time adding those drop-shadows, outside of the authors of the OS X tool over a decade ago.

What's up with the screenshots? How about just pasting in the text and formatting it appropriately?

It makes it look cooler. More Hacker like. But if it must be done, clicking on the image to get the code would be a nice addition.

Strange how the same people who hate skeuomorphism in Apple products seem to love it in this sort of context. Much like how the same people who decry "Mac sheeple" as buying computers based on "fashion" also like tricked out cases studded with LEDs, or tricked out RAM in bright colors...Ah humanity --- is there nothing you don't suck at?

(For the record, I LOATHE skeuomorphism in any context --- Apple products, consumer electronics, or the presentation of information.)

Then I tried again and got a "blocked plug-in", which stated the version I had was out of date and required the newest version. So it sent me back to Oracle for Java...... 7.11 again. Essentially stuck in a potentially endless loop of inefficiency.

I ran into this a week ago and it frustrated me to no end.

The practice of assigning not-yet-existent versions as the minimum required and then telling your users that the version they have is out of date despite it being the most current one available is more than a little counter-productive, especially when you don't bother to communicate that they aren't honestly out of date but that they just don't trust the current version of the plug-in. >_<

I ended up wasting hours on this bullshit and blaming Java for the problem. And while Java is ultimately the root of the problem, if my browser had been honest with me, I could have moved on and done something productive with that time.

Looks like Apple wants to throw away the BYOD, use web applets for business needs, write once run anywhere market of professionals.

I have worked at places where Java Web Apps are the only way to clock in, manage people, get corporate messages, do your work, etc.

Look at Ars on the SAME DAY as this story came out --- about Chinese hackers infiltrating the NY Times, reading email and acquiring employee passwords.

So your analysis is that stupid Apple should allow companies to be vulnerable in this way, rather than doing its best to protect them?

The vulnerability is not going to go away, regardless of how much it inconveniences you. The solution is to STOP USING THIS VULNERABLE SYSTEM, not to complain about how Apple sucks. Otherwise those companies you have worked at will find themselves in the same position as the NY Times.

You think no-one in China would like to infiltrate Marvell or Cisco or Facebook or whatever Silicon Valley company it was that you are referring to; or for that matter how about infiltrating a US bank --- that probably has some value. Heck, even infiltrating some boring company like P&G can probably generate revenue for the enterprising criminal via extortion of some sort.

Because of the way the OS X windowing system works, the screenshot tool can capture a single window with its alpha channel and save it as a PNG. This includes the drop shadow that's part of the window. No big deal.

The default OS X terminal style is plain black text on white background, but you can change it if you want. I'm guessing the person thought it would be cool to change it to some retro green style instead.

Or, you know, Apple could implement a better system than just blacklisting. A proper warning telling the user what is happening with the plugin and allowing site-by-site whitelisting would have been preferable. But that was apparently too much trouble.

What this comes down to is that if your company has mission critical Java applets, then Macs are no longer as useful a tool for your users.

This effectively disables Xprotect, good for users that know what they're doing.

The road to hell is paved with good intentions.

Sadly what is going to happen is a number of users that don't know what they are doing will search for a solution and follow it blindly.

This is the same kind of thing that happened with Vista and the UAC: the cup overfloweth with people with malware and viruses because they 'disabled it' without understanding the consequences.

The road to hell is paved with good intentions; oddly enough, that is exactly how I describe Apple's handling of the Java plugin. How hard is it for Apple to implement a click-to-activate solution, considering that it's already there? Instead they disable your plugin entirely, forcing you to wait on a plugin that isn't available and in all likelihood will still be as vulnerable as the last.

Apple's intentions are for a good reason, most users are inept, but the annoyances and inconveniences caused by services like Xprotect, networkcapture, and Gatekeeper (not to mention iOS-inspired application restore and save states) just end up causing more harm than good. For the good of the few, crippling the many is a poor way of addressing any problem.

And, to be succinctly frank, by this point in time if you still need Java installed it's probably because you don't have the luxury of going without. Could be banking software, a student information system, or a network filter portal, to name a few.

*edit: Just got an email that this disrupted time sensitive state mandated testing.

For good measure, anyone who still needs the use of java 6 on an Apple system.

We all know Java is a ticking time bomb, but we can't all change our Java apps on a dime. Some of us need those apps to get work done in the short term, even if that means we're bending over, dropping our pants, and daring the malware to take its best shot.

I think it's a bit too much to block it this way; especially since I use a Safari plugin to make Java applets click to download anyway, so I can only enable the ones I need.

I'm hoping click to play soon becomes a standard feature for browsers, as it just seems silly not to be able to do this already; leave images and other "safe" things to download normally, but anything plugin based that can run code, or might require a large download shouldn't be there unless I want it. I even have movies set to click to download as well, as otherwise they just waste speed for stuff I might not actually want.

Can someone please clarify - does this article imply that Apple has the ability to prevent a Apple OS user from using Java? Because that's ridiculous if true.

Now don't get me wrong, I've been uninstalling java whenever I come across it for months now. But I could never accept a situation whereby some company controlled my computer that much. If I run Windows, I can still install java, security holes and all. Can you not do that with a Mac?

You can still install Java, you just can not use it in the default web browser. They have the ability to blacklist plugins for Safari, without user intervention or knowledge beforehand. Furthermore they do not tell you they blacklisted it, just that it needs to be updated (when there is no update).

Or, you know, Apple could implement a better system than just blacklisting. A proper warning telling the user what is happening with the plugin and allowing site-by-site whitelisting would have been preferable. But that was apparently too much trouble.

Yes, because popping up wordy security dialogues lots of times per day is a tried and tested way to promote safe browsing by users.

So the remote office that needs access to the payroll system is out of luck. All the people with Macs that need to use the corporate VPN to do their job and get paid no longer can. And a thousand other examples of Java used in the workplace via web browsers now no longer function for Mac users...